<tt><font size=2>Jakob Schlyter wrote on 03/06/2009 09:16:15 AM:<br>
<br>
> after a short dicsussion with Roy, here is a more specific proposal:<br>
</font></tt>
<br><tt><font size=2>To be clear: We did not discuss the publish part (but
nolo contendere on that)</font></tt>
<br><tt><font size=2> <br>
> for each key we can specify two things - if it should be included
in <br>
> the signed zone file or not, and what RRset to sign.<br>
> <br>
> - for publication we use <publish/>.<br>
</font></tt>
<br><tt><font size=2>We did indeed discuss:</font></tt>
<br>
<br><tt><font size=2>> - for signing we use zero or more <sign>XXX</sign>,
where XXX is an <br>
> RRTYPE or OTHERS.<br>
> <br>
> if RRTYPE is ANY, we sign all RRsets with that key.<br>
> if RRTYPE is a specific type(s), we sign only those types.<br>
> <br>
> classic typical KSK: <sign>DNSKEY</sign><br>
> new style typical ZSK: <sign>ANY</sign><br>
> key for delegation only: <sign>DS</sign><br>
> <br>
> BUT, we might want to be able to sign everything not explicitly <br>
> selected, so a classic ZSK would then be:<br>
> <br>
> <sign>ANY</sign><br>
> <sign>DNSKEY</sign><br>
> <br>
> (since DNSKEY was explicitly selected by the KSK, and we want the
ZSK <br>
> to sign ANY RRset including DNSKEY).<br>
</font></tt>
<br><tt><font size=2>so:</font></tt>
<br>
<br><tt><font size=2><key></font></tt>
<br><tt><font size=2> <label>KEY-1</label></font></tt>
<br><tt><font size=2> <sign>ANY</sign></font></tt>
<br><tt><font size=2></key></font></tt>
<br><tt><font size=2><key></font></tt>
<br><tt><font size=2> <label>KEY-2</label></font></tt>
<br><tt><font size=2> <sign>DNSKEY</sign></font></tt>
<br><tt><font size=2></key></font></tt>
<br>
<br><tt><font size=2>leads to that KEY-1 will NOT sign DNSKEYs. (this is
exactly what I want)</font></tt>
<br>
<br><tt><font size=2>ofcourse, if you want the vanilla behaviour, you'd
need to specify</font></tt>
<br>
<br><tt><font size=2><key></font></tt>
<br><tt><font size=2> <label>KEY-1</label></font></tt>
<br><tt><font size=2> <sign>ANY</sign></font></tt>
<br><tt><font size=2> <sign>DNSKEY</sign></font></tt>
<br><tt><font size=2></key></font></tt>
<br><tt><font size=2><key></font></tt>
<br><tt><font size=2> <label>KEY-2</label></font></tt>
<br><tt><font size=2> <sign>DNSKEY</sign></font></tt>
<br><tt><font size=2></key></font></tt>
<br>
<br><tt><font size=2>This way, you can even specify keys for denial by
adding a key with <sign>NSEC</sign> and <sign>NSEC3</sign></font></tt>
<br>
<br><tt><font size=2>This is the granularity I was looking for!</font></tt>
<br>
<br><tt><font size=2>Thanks,</font></tt>
<br>
<br><tt><font size=2>Regards,</font></tt>
<br>
<br><tt><font size=2>Roy Arends</font></tt>
<br><tt><font size=2>Sr. Researcher</font></tt>
<br><tt><font size=2>Nominet UK</font></tt>